Wednesday, July 8, 2009

Microsoft issues rare security warning

Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control.

Microsoft has released an out-of-band, emergency security advisory and is also investigating attacks targeting a vulnerability in Microsoft Video ActiveX Control that could allow a hacker to gain complete control of a system. This news is already making headlines in the information security world.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. At this stage, no security patch has been made available by Microsoft.

In this security advisory, a workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Microsoft Video ActiveX Control from running in Internet Explorer - See Microsoft Knowledge Base Article 972890 for information on how to implement this workaround automatically.

"Hackers are launching attacks against an unpatched vulnerability in the Microsoft Video ActiveX Control that could allow an attacker to take full control over the system. When using Internet Explorer, code execution is remote and requires no user interaction, Microsoft says."

The bug was uncovered by researchers Alex Wheeler and Ryan Smith, who at the time both worked at IBM's ISS-X-Force. A Microsoft spokesperson said the company first learned of the vulnerability in 2008 and immediately began an investigation.